Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Microsoft has issued an emergency patch revoking digital certificates used to sign the Flame malware.
The patch revoked three intermediate Microsoft certificates used in active attacks to “spoof content, perform phishing attacks, or perform man-in-the-middle attacks”.
Microsoft also killed off certificates that were usable for code signing via Microsoft’s Terminal Services licensing certification authority (CA) that ultimately “chained up” to the Microsoft Root Authority.
The authority issued certificates for users to authorise Remote Desktop services in their enterprises.
Flame (Worm.Win32.Flame) had existed since 2010 and spread via removable media, according to the CERT, and by exploiting a patched Microsoft printer hole -- the same tapped by Stuxnet. It contained a backdoor and trojan and had worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so.
Components of the sophisticated Flame malware were signed by the certificates using “an older cryptography algorithm [that] could be exploited and then be used to sign code as if it originated from Microsoft”, Microsoft security response centre senior director Mike Reavey said in an advisory.
The bugged algorithm “provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft”.
“Now things may make sense with the Flame hoopla: It used the fake, but ‘valid’, MSFT certificate,” SANS Institute chief research officer Joannes Ullrich said in a tweet.
The bulletin did not specify who accessed the certificates.
The thumbprints of the untrusted certificates:
Certificate
Thumbprint
Intermediate PCA
2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70
3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08
Registration Authority CA (SHA1)
fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97
Copyright © SC Magazine, Australia
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.
